Patches have been released now

An in-depth analysis of yet another Internet-connected security camera has revealed a host of software problems.

Alex Farrant and Neil Biggs, both of the research team for Context Information Security in the U.K., analyzed Motorola’s Focus 73, an outdoor security camera. Images and video taken by the camera can be delivered to a mobile phone app.

They found they could take control of the camera remotely and control its movement, redirect the video feed and figure out the password for the wireless network the device is connected to.

One attack exploits a cross-site request forgery problem. It was possible to scan for cameras connected to the Internet and then get a reverse root shell. By tampering with DNS settings, they could intercept the alerts that the camera sends to its owner. The attack code that could enable that tampering could be planted on a Web page, they wrote in a blog post.

“If someone were to view a web page containing the snippet of script, it could compromise and subvert every vulnerable camera on their network automatically,” they wrote. “Surveillance indeed.”

The DNS trick meant they could also see FLV video clips that would normally be sent to a cloud storage service used by the device.

The Motorola Focus 73, which is actually manufactured by Binatone, also had a problem when connecting to a home Wi-Fi network.

When a person’s home network is selected from a list, “you must enter your private Wi-Fi security key, which is then broadcasted unencrypted over the open network,” they wrote.

Then there’s a firmware issue. The firmware was written by a company called CVision. It appears to be generic code that was used in other kinds of IP cameras, “presumably to reduce development and support costs,” they wrote.

The firmware is not encrypted or digitally signed.
The research team added a backdoor to its code, which they could then upload to the camera.

“Firmware should be signed and encrypted as a minimum to stop bad firmware uploads or tampering,” they wrote. “Failure to do this not only carries security risks but also business risks.”

Context notified Motorola Monitors of the issues in early October. Since then, Motorola and partners that have built software for the device — including Binatone, Hubble Connected, Nuvoton and CVision — have worked on patches.

Firmware updates were released a month later, and more fixes “are currently being rolled out to customers’ cameras via an automated update process,” they wrote.